Your account will be closed in 24h!

Yahoo phishing

Thursday night and checking Facebook on my mobile before going to sleep. One of my friends is complaining about how hard it is to use Yahoo mail abroad. Problem logging in and now there’s some problem with the account. “Your E-mail account has exceeded its limit and needs to be verified, if not verified within 24 hours, we shall suspend your account. Click Here to verify your email account now.” And when you try to resolve it, it doesn’t even work. You just end up on the login page! Damn Yahoo!

Stop! This message is not about a problem with the mail system, it’s a very typical phishing mail. I responded with a warning, and yes, the link had indeed been clicked and the credentials entered on a page that looked like the Yahoo login page. That made my friend a phishing victim like so many other Internet users. It was the beginning of a long night trying to figure out how to change the mail password using a tiny mobile screen. But the case came to a happy end. The password was apparently changed before the attackers had a chance to take benefit from the account, thanks to the swift reaction.

How to spot a phishing attempt?

  • It arrives as a mail message. Mail can be sent by anyone and it is trivial to spoof the sender’s address so that it seems to come from your mail operator or some other company you trust.
  • People think less when they are afraid so it tries to create a sense of danger. Something bad will happen unless you react. The closure of your account is a very common threat when phishing for e-mail accounts.
  • People think less when in a hurry so it tries to create a sense of urgency. You need to act right now. This lowers the risk that the victim checks out the facts first. The 24h deadline is a typical trick to achieve this.
  • It links to a web page that looks like an official page of, for example,  your mail operator. But it is actually controlled by the attacker, who also receives any information you enter. You are hacked if you enter your mail user name and password, or other valuable information.

My friend is not a computer newbie, and did in theory know all this. But the attack succeeded anyway. How is this possible? Imagine that it is late in the night and you are tired. There are other people distracting you. You are traveling and really depending on your mail account. And on top of that, you have had problems and expect even more trouble with this operator. So this is a very typical situation where the fingers can be faster than the brains. This is really the optimal situation for an attacker to hit, and they happened to send this phishing mail at the right wrong time.  Honestly, are you sure this couldn’t happen to you?

Ok, so what should I do to avoid being phished?

  • First of all, do not click links in mails! This is not just about phishing, many get malware too by clicking links. But there are also legitimate links that friends send to you. So you should always think about who the sender is (remember, the apparent sender can be spoofed), in what style and language the message is written, what the claimed content of the link is and how does all this fit together? To summarize, do I expect this kind of message from this person (or company) at this time? This way you should be able to spot the legit links.
  • If in doubt, check what address the link is taking you to before you click. Note that the text forming the visible part of the link may look like a web URL but still be linked to a totally different address. Hover the mouse pointer over the link and examine the address that the mail client or browser shows you. Make sure that the address match the company or site that the link is claimed to point to. For example: The login to Gmail should start with “” but a phishing site targeting Gmail may use an address like “”. The latter does NOT belong to Gmail.
  • Get familiar with the login URLs of your favorite services BEFORE you run into a phishing mail. Then it is a lot easier to spot the spoof. The address may look long and nerdy, but you only need to mind the part after the double-slash “//” but before the first single slash. That part identifies the server that you will access. (Your browser may show the address without the initial “http://”, in that case just examine the part before the first slash.)
  • Get familiar with the concept of secured web pages and how to recognize them. Login pages of important services are typically protected this way. Their addresses start with “https://” instead of “http://” and your browser shows a lock or similar symbol next to the address field. You can examine the certificate of the server you are connected to by clicking the lock, and this is reasonable hard proof about who’s running the service. Needless to say, the phishing sites can’t duplicate these cryptographic certificates.
  • If you suspect that there really may be a problem with your mail account, then log in with the link that you normally use to access the account. Do not use a link in a mail message. Look for info banners and pop-up messages shown in the browser after you have logged in. These messages are a lot more reliable and can generally be trusted. Mail operators are well aware of the phishing threat. If you get a mail claiming that there’s a problem, then you can be pretty sure that it isn’t true. The mail operators do not communicate in that way.
  • If you still fall for the scam, attempt to change your password right away. This is also a good time to think about if you have used the same password on other services. Say that is using the same password as If one get hacked, then the hacker just need to try some of the common mail services to get access to more accounts. This would be a good time to brush up your password practices.

As a practice, examine the link above and try to figure out where it points and what company it belongs to without clicking it.

Safe surfing,

Phishing @ Wikipedia.

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

More posts from this topic


F-Secure Bringing a totally new Future for the Internet to SLUSH 2015

#SLUSH15 is almost here, and F-Secure’s participating in this year’s event in a big way. There’s going to be a big #smartsecurity announcement about the Internet of Things, as well as a couple of presentations from F-Secure personnel. SLUSH, a well-known exposition for startups in the tech industry, has become a huge international event. Both SLUSH and F-Secure call Helsinki home, so it’s only natural for F-Secure to be an active participant at the annual conference. F-Secure made waves last year after the cybersecurity company hacked the venue’s bathrooms to get people talking about online privacy. Several of the company’s researchers and personnel also put in appearances at last year’s SLUSH, including cyber security expert Mikko Hypponen, and F-Secure’s Executive Vice President, Consumer Security, Samu Konttinen. [youtube] [youtube] And they’re both back this year! This year, Samu will be giving a keynote address on SLUSH’s Silver Stage. His talk is called “Your home, your rules – The internet of what ifs”, and runs from 11:45am to 12:00pm (Helsinki time) on November 11th. Samu’s enthusiasm for topics related to security and online privacy will give people valuable insights into how IoT devices are creating new security challenges, and what people can do to protect themselves. Mikko will be appearing on SLUSH’s Black Stage at 9:25am (Helsinki time) on November 12th, where he’ll deliver a talk called “The Online Arms Race”. Mikko recently did an interview about this same topic for, so you can check that out if you want a quick preview about Mikko’s thoughts on this matter. You can follow all of F-Secure’s SLUSH news by following @FSecure_Sense, @FSecure_IoT, and @FSecure on Twitter.

November 10, 2015

Advertising – to block or not to block? (Poll)

I have become pretty immune to advertising on the net. The brain develops an algorithm to locate the relevant content and filter out the junk around it. Frankly speaking, ask me about what ads there were on the page I just visited, and I have no clue. And I believe that’s true for many of us. Except that our internal ad-blockers aren’t perfect. The advertising may still affect us unconsciously. This issue has been in the headlines a lot since Apple introduced a simple way to implement ad-blocking on iPhones and iPads. Many took advantage of the opportunity and released new tools, among them the excellent F-Secure ADBLOCKER. And many media providers got upset as this development will no doubt increase the usage of ad blocking, and thus reduce advertising revenues. Some newspapers are already attempting to prevent users with ad-blockers from using their site at all. And some publishers admit that advertising has gone too far and they had it coming. So let’s take a look at the pros and cons of advertising. First the pros. Advertisers pay for your “free” stuff. It makes it possible to get a lot of excellent services and content without paying money. Instead you pay by exposing yourself to ads and letting companies profile you for targeted advertising. Some may actually find ads, especially well targeted ads, useful. They may contain special offers and campaign codes that are of true value to you. Advertising can be entertaining. And then the longer list, the cons. Advertising often disturbs your user experience. You have to locate the beef among glossy blinking ads. And you may even have to dodge pop-ups to actually see your content. Advertising may lure you to make more, often unnecessary, purchases. That’s basically the objective of advertising. Advertising often tries to trick you into opening the advertiser’s site. For example by mimicking a Next- or Download- button in the ad. Advertising may show content that is unsuitable for the viewer. Advertising can be a way to deliver malware. Ads are delivered from separate servers. A compromised ad server may show infected ads on sites with a good reputation. I.e. in places where you don’t expect to run into malware. Advertising will consume bandwidth and make pages load more slowly. This can cost you real money depending on your data plan. Advertising is the main reason to track you. Many companies attempt to profile you as accurately as possible to make targeted advertising more effective. Good targeted advertising may not be evil in itself, but misuse of the collected data is a real threat. It seems likes the cons win hands-down. But there is one argument in favor of advertisement that deserves some more attention. The publishers who take an aggressive approach against ad-blocking typically say that blocking ads is like taking a free ride. You try to benefit from free content without paying the price. And this is an argument that can’t be dismissed just like that. Remember that advertising is the engine for a significant part of the net. Imagine that 100% of the users would use 100% effective ad-blockers. What would our virtual world look like in that case? I don’t know, but it would definitively be a different world. But on the other hand, it’s easy to find sites where advertising definitively has gone overboard. So it is understandable if the advertisers receive little sympathy for their fight against ad-blocking. This is yet another question without any clear and simple answers. So let’s pass it to you, dear readers. What do you think about advertising on the web? [polldaddy poll=9139628]   [caption id="attachment_8591" align="aligncenter" width="1024"] Article trying to defend advertising. The beef is there under the ad. ;)[/caption]   Safe surfing, Micke   Image: iPhone and screenshots  

October 22, 2015